Check Point Research (CPR) uncovered a new email hijacking campaign attributed to ATP group Phosphorus
Cybersecurity giant Check Point discovered a new email spear-phishing campaign against high-profile Israeli and US executives, in which the threat actors hijacked emails of senior Israeli officials and used them to target other officials in order to steal personal information.
According to the latest report by Check Point Research (CPR), the attackers - believed to be backed by Iran – have been taking over existing accounts of high-profile individuals and creating “fake impersonating accounts to lure their targets into long email conversations.”
They then continue the hijacked conversation from the fake email and exchange several additional emails with the target.
The researchers believe that the campaign’s goal is to “steal personal information, passport scans, and access to email accounts. CPR sees that the operation dates to at least December 2021 but assumes earlier.”
Some of this campaign’s high-profile targets include former Israeli Foreign Minister, Tzipi Livni, a former US Ambassador to Israel, a former IDF Major General of the IDF, and three others.
The attacks, which have been taking place for at least six months, are attributed to an Iran-backed entity. “Evidence points to a possible connection of the operation to the Iran-attributed Phosphorus APT group,” says the report.
“The group has a long history of conducting high-profile cyber operations, aligned with the interest of the Iranian regime, as well as targeting Israeli officials.”
Phosphorus is a well-known, heavily researched threat group, which focuses on campaigns using sophisticated social engineering. It is also known as – or affiliated with – Charming Kitten and ATP35, among other names. It is believed to have been behind high-profile attacks such as the one against HBO in 2017, as well as US-election interface campaigns.